PT-2026-40836 · Drupal · Node View Permissions
Adam Shepherd
+3
·
Published
2026-05-13
·
Updated
2026-05-27
·
CVE-2026-8491
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Node View Permissions versions 0.0.0 through 1.6.x
Node View Permissions versions 2.0.0 through 2.0.0
Description
An improper check for unusual or exceptional conditions in the Node View Permissions module allows forceful browsing. The module provides "View own content" and "View any content" permissions for each content type. The issue occurs when a user is cancelled and their content is reassigned to the anonymous user, as the module does not sufficiently handle this scenario. This affects private content that should not be accessible to anonymous users but was reassigned to them.
Recommendations
Update versions 0.0.0 through 1.6.x to version 1.7.0.
Update version 2.0.0 to version 2.0.1.
Fix
Improper Check for Exceptional Conditions
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Node View Permissions